
Re: icmp: echo reply? Am I being attacked?



OK, it's done!

I have tried: "tcpdump icmp > tcpdump_results2" and "tcpdump icmp >
tcpdump_results3".
The files are at: http://xenon4.fe.up.pt/tcpdump_results2 and
http://xenon4.fe.up.pt/tcpdump_results3

Ranko Veselinovic <rvjunior@gmx.net> privately sent me the following
e-mail, which I think might be relevant for the issue in question:
_______________________
I'm not sure, but I think when you send an ICMP ECHO-Request to a
broadcast address that the whole network will answer with echo replies.
I think this is a kind of smurf attack and the address where the replies
were sent is the target of the attacker. You were just abused for this
attack.

greets
Ranko
________________________


Now I think I'm starting to understand what has been going on. In fact,
there are several "echo request" to the address 193.136.29.0 (my IP
address is 193.136.29.189). What I still don't understand is why Windows
machines don't reply to this attack and Unix machines do. Also, do you
know how I can block this attack?

Anyway, thank you for bringing some light into my mind. At least now I
have an idea of what has been going on.

Nuno Faria


Michael Stone wrote:
> 
> On Thu, Jul 27, 2000 at 08:56:21AM +0100, Nuno Faria wrote:
> > Yes, I had already noticed that when I ping a machine, the packets show
> > up in tcpdump as a series of echo-requests and echo-replies, but in this
> > case I can't find the echo-requests.
> 
> Try "tcpdump icmp". That will show you all icmp traffic. Look for echo
> requests coming from the remote system, especially going to a broadcast
> address. (Something like x.x.x.255) Let us know what you find.
> 
> --
> Mike Stone
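
The check discussed in this thread (echo requests from a remote system to a broadcast address, followed by local hosts replying to that system) can be run over saved `tcpdump icmp` text output. The script below is an added example, not part of the original messages; the /24 netmask, the function name `smurf_report` and the sample capture lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Accepts both the older "icmp: echo request" and the newer
# "IP ... ICMP echo request, id ..." tcpdump text formats.
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp:?\s+echo (?P<kind>request|reply)",
    re.IGNORECASE,
)

def smurf_report(lines, local_net):
    """Map each remote source that pinged a broadcast address of local_net
    to (broadcast requests seen, replies local hosts sent back to it)."""
    net = ipaddress.ip_network(local_net)
    # Treat both the all-zeros and the all-ones host address as broadcast.
    broadcast = {net.network_address, net.broadcast_address}
    requests, replies = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        kind = m["kind"].lower()
        if kind == "request" and dst in broadcast and src not in net:
            requests[src] += 1      # src is the (possibly spoofed) victim address
        elif kind == "reply" and src in net and dst not in net:
            replies[dst] += 1       # a local host answering a remote address
    return {str(ip): (n, replies[ip]) for ip, n in requests.items()}

# Constructed sample capture; remote addresses are documentation ranges.
SAMPLE = """\
08:56:21.100000 198.51.100.7 > 193.136.29.0: icmp: echo request
08:56:21.100400 193.136.29.189 > 198.51.100.7: icmp: echo reply
08:56:22.100000 198.51.100.7 > 193.136.29.255: icmp: echo request
08:56:22.100500 193.136.29.189 > 198.51.100.7: icmp: echo reply
08:56:23.000000 IP 193.136.29.189 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
08:56:23.020000 IP 192.0.2.10 > 193.136.29.189: ICMP echo reply, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for victim, (reqs, reps) in smurf_report(SAMPLE, "193.136.29.0/24").items():
        print(f"{victim}: {reqs} broadcast echo requests, {reps} replies sent to it")
```

A local host that appears as a responder in this report is answering broadcast pings; on Linux the `net.ipv4.icmp_echo_ignore_broadcasts` sysctl makes the host ignore them.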


